[security] MyOpenID

Matt Pelletier matt at eastmedia.com
Wed Mar 21 10:48:00 PDT 2007


On Mar 21, 2007, at 9:33 AM, <gaz_sec at hushmail.com> wrote:

> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> Hi everyone
>
> I've found two problems with the MyOpenID.com site. I've contacted
> them to report the problem, but I also believe there is a problem
> with how OpenID itself works. I've been told many times on another
> list that it isn't a specific problem with OpenID, but I'm pretty
> sure it is.
>
> I don't know what the position is on disclosure so I thought I
> would just describe what is possible on the MyOpenID site and see
> if the problem has been encountered before.
>
> 1. First of all, if you sign into an OpenID server (in this case
> MyOpenID.com), then log on to an OpenID-enabled site like
> http://ficlets.com/, then sign out of the OpenID-enabled site, it
> is possible to log them back onto the site from any remote web site.

Which is the last 'the site' you're referring to, the Relying Party  
(e.g. ficlets)? Take a look at the Single Sign Out topics that have  
been discussed on the OpenID lists. Do you have a step-by-step  
walkthrough example?

>
> 2. The second problem is more serious: you can create a specially
> crafted web page to automatically log on to a web site and also add
> that web site to the "allow forever" trusted sites. The only
> requirement is that you have to be logged onto the OpenID server.

How would you do this? Do you have an example?

>
> Both cases can be prevented if the OpenID specification requires
> authorisation regardless of a cached token.

That would defeat the purpose of some of the key benefits. I'd like  
to know more about which specific issues you're referring to.

Thanks,
Matt

>
> Cheers
>
> Gareth
> -----BEGIN PGP SIGNATURE-----
> Note: This signature can be verified at https://www.hushtools.com/verify
> Version: Hush 2.5
>
> wpwEAQECAAYFAkYBNAoACgkQrR8fg3y/m1BUeAQAlXk1/BfVU5InHjrrQ6uRP/EpPnMF
> XcQiIgRnPW+QVwlMkyXIFtjx112xT4BlaNrueKed2YUipfNdL9x+XEYGvRj+1qQTESAH
> vfV891koLJyiGPUC/keiTsDnGxJt6CesrFVzXXyVQXLRPk8AgeAUaBy1UvbP0zMxNkrP
> dW0wgjo=
> =68JR
> -----END PGP SIGNATURE-----
>
>
>
> _______________________________________________
> security mailing list
> security at openid.net
> http://openid.net/mailman/listinfo/security

------------------
Matt Pelletier
http://www.eastmedia.com -- EastMedia
http://www.informit.com/title/0321483502 -- The Mongrel Book
http://identity.eastmedia.com -- OpenID, Identity 2.0
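The first issue Gareth reports is, from the Relying Party's side, a login that the RP never asked for: an OpenID positive assertion arrives at the RP's return URL although the user did not click "log in" there. The following is an added example (not code from this thread, from MyOpenID or from any OpenID library) of the RP-side check a practitioner would want: the RP mints a fresh, single-use state value when the user actually starts a login, embeds it in `openid.return_to`, and refuses any response whose echoed state does not match the one pending in that browser session. The parameter names are OpenID 1.1 (`openid.mode`, `openid.identity`, `openid.return_to`, `openid.trust_root`); the `RelyingParty` class, the `rp.example` hostnames, the in-memory session store and the `alice.example` identifier are constructed for this demonstration. Verification of `openid.sig` with the OP is deliberately left out and marked as such.

```python
"""Relying-party check against unsolicited OpenID logins (added example)."""
import hmac
import secrets
from urllib.parse import parse_qs, urlencode, urlparse

RETURN_TO_BASE = "https://rp.example/openid/return"   # constructed RP endpoint


class RelyingParty:
    def __init__(self):
        # session_id -> {"pending_state": str | None, "user": str | None}
        self.sessions = {}

    def new_session(self):
        sid = secrets.token_urlsafe(16)
        self.sessions[sid] = {"pending_state": None, "user": None}
        return sid

    def begin_login(self, sid, claimed_id):
        """The user clicked 'log in' here: mint a state value, remember it in
        the session and embed it in return_to so the OP echoes it back."""
        state = secrets.token_urlsafe(24)
        self.sessions[sid]["pending_state"] = state
        return_to = RETURN_TO_BASE + "?" + urlencode({"state": state})
        return {
            "openid.mode": "checkid_setup",
            "openid.identity": claimed_id,
            "openid.return_to": return_to,
            "openid.trust_root": "https://rp.example/",
        }

    def complete_login(self, sid, response):
        """Handle the OP's id_res response. Accept it only if this session has
        a login in progress and the echoed state matches. The pending state is
        consumed either way, so a response can be used at most once."""
        sess = self.sessions[sid]
        expected = sess["pending_state"]
        sess["pending_state"] = None
        if expected is None:
            return False, "no login was started from this session"
        if response.get("openid.mode") != "id_res":
            return False, "not a positive assertion"
        rt = urlparse(response.get("openid.return_to", ""))
        if (rt.scheme, rt.netloc, rt.path) != tuple(urlparse(RETURN_TO_BASE)[:3]):
            return False, "return_to does not point at this RP"
        got = parse_qs(rt.query).get("state", [""])[0]
        if not hmac.compare_digest(got.encode(), expected.encode()):
            return False, "state does not match this session"
        # A real RP must also verify openid.sig with the OP (shared association
        # or check_authentication) before trusting openid.identity; omitted here.
        sess["user"] = response["openid.identity"]
        return True, "logged in as " + sess["user"]


def demo():
    """Run the three cases the check has to distinguish; returns their outcomes."""
    rp = RelyingParty()
    sid = rp.new_session()
    alice = "https://alice.example/"   # constructed identifier

    # 1. A positive assertion arrives although no login was started in this
    #    session (the situation described in the report).
    unsolicited = {"openid.mode": "id_res", "openid.identity": alice,
                   "openid.return_to": RETURN_TO_BASE + "?state=guess"}
    first = rp.complete_login(sid, unsolicited)

    # 2. The legitimate flow: login started here, the state round-trips.
    req = rp.begin_login(sid, alice)
    legit = {"openid.mode": "id_res", "openid.identity": alice,
             "openid.return_to": req["openid.return_to"]}
    second = rp.complete_login(sid, legit)

    # 3. Replaying the same response is refused: the state was consumed.
    third = rp.complete_login(sid, legit)
    return first[0], second[0], third[0]


if __name__ == "__main__":
    print(demo())
```

The state value plays the same role a CSRF token does on an ordinary form: it proves the request originated from a page the RP served to this browser session, which is exactly what a response triggered from a remote page cannot supply. It does not address Gareth's second point, where the user is driven to the OP's own "allow forever" decision; that lives on the OP side and is not covered by this example.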